OpenVPN/OpenWRT

From Secure Computing Wiki
Revision as of 09:47, 27 June 2010 by Cron2 (Talk | contribs) (Makefile fixes, some more explanatory text)

Jump to: navigation, search

OpenVPN-devel package for OpenVPN

OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.

OpenWRT comes with an OpenVPN package based on the mainstream 2.1 release (as of 2010/06/27).

If you want IPv6 support or any of the other features in the development tree, you have to build your own package, based on the openvpn-devel sources. Given that OpenWRT packages are not for standard i386/amd64 CPUs but usually some sort of MIPS system, you need a cross-compilation environment and special tools - but that's all already provided by the OpenWRT folks, so you just need to add a few bits to add your own package.

how to build

  1. get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed:

    svn co svn://svn.openwrt.org/openwrt/branches/backfire/

  2. get the OpenWRT package tree from SVN and "install" (put all the symlinks where they are needed):

    cd backfire
    ./scripts/feeds update
    ./scripts/feeds install -a

  3. now add a directory for "openvpn-devel" (the package tree has "openvpn" already), and copy a few files from the existing openvpn package (we're lazy):

    backfire$ cd package
    backfire/package$ mkdir openvpn_devel
    backfire/package$ cd openvpn_devel
    backfire/package/openvpn_devel$ cp -r ../feeds/packages/openvpn/files .
    backfire/package/openvpn_devel$

    (you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)

  4. copy-paste the following text to a file named "Makefile" in this directory:
    #
    # Makefile for openvpn-devel package for OpenWRT
    #
    
    include $(TOPDIR)/rules.mk
    
    PKG_NAME:=openvpn_devel
    # this is "2010, week 26"
    PKG_VERSION:=201026
    # BUILD_DIR has to accomodate path naming of source tarball
    PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
    PKG_RELEASE:=1
    
    PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
    PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
    # if you change the PKG_VERSION, adjust this checksum ("md5sum $PKG_SOURCE")
    PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
    
    PKG_INSTALL:=1
    
    include $(INCLUDE_DIR)/package.mk
    
    define Package/openvpn_devel
      SECTION:=net
      CATEGORY:=Network
      DEPENDS:=+kmod-tun +kmod-ipv6 +libopenssl +liblzo +ip
      TITLE:=Open source VPN solution using SSL - DEVEL VERSION
      URL:=http://openvpn.net
      SUBMENU:=VPN
    endef
    
    define Package/openvpn_devel/conffiles
    /etc/config/openvpn
    endef
    
    define Package/openvpn_devel/description
             Open source VPN solution using SSL - DEVEL VERSION, Week $(PKG_VERSION)
    endef
    
    define Build/Configure
            $(call Build/Configure/Default, \
                    --disable-pthread \
                    --disable-debug \
                    --disable-plugins \
                    --enable-management \
                    --disable-socks \
                    --enable-password-save \
                    --enable-iproute2 \
                    --with-iproute-path=/usr/sbin/ip \
                    ,\
                    ac_cv_func_epoll_create=no \
            )
    endef
    
    define Package/openvpn_devel/install
            $(INSTALL_DIR) $(1)/usr/sbin
            $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
            $(INSTALL_DIR) $(1)/etc/init.d/
            $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
            $(INSTALL_DIR) $(1)/etc/config
            $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
            $(INSTALL_DIR) $(1)/etc/openvpn
    endef
    
    $(eval $(call BuildPackage,openvpn_devel))
    
    
    
  5. go back to the top level directory and run the config scripts:

    backfire/package/openvpn_devel$ cd ../..
    backfire$ make defconfig
    backfire$ make menuconfig

    1. in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x"). Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts. The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
    2. go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected)
    3. then "exit" -> "exit" -> "exit" -> "save config -> yes"

  6. run "make" and wait... - this will take a long time, building the C compiler (for cross-building to MIPS cpu) and the target system's C library etc. first.

    backfire$ make
    make[1] world
    make[2] target/compile
    make[3] -C target/linux compile
    ...
    make[3] -C package/zlib compile
    make[3] -C package/openssl compile
    make[3] -C package/iproute2 compile
    make[3] -C package/iptables compile
    make[3] -C package/firewall compile
    make[3] -C package/hostapd compile
    make[3] -C package/kernel compile
    make[3] -C package/mtd compile
    make[3] -C package/openvpn_devel compile <<<<< :-)
    make[3] -C package/opkg compile
    ...
    make[3] package/preconfig
    make[2] target/install
    make[3] -C target/linux install
    make[2] package/index
    backfire$

  7. now you have an openvpn_devel package in ./bin/ar71xx/packages/

    backfire$ ls -l bin/ar71xx/packages/
    ...
    -rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk
    ...

    </ol>

    Installing the package

    Login to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":

    root@openwrt:/tmp$ opkg update
    ...
    root@openwrt:/tmp$ wget http:<myserver>/openvpn_devel_201026-1_ar71xx.ipk
    root@openwrt:/tmp$ opkg install openvpn*ipk
    (copy-paste from life router to-be-done)